[squid-users] Best practice for adding or removing ACLs dynamically ?
Amos Jeffries
squid3 at treenet.co.nz
Sun Nov 1 08:17:58 UTC 2020
On 1/11/20 12:27 pm, roee klinger wrote:
> Thanks Amos!
>
> I updated "auth_param basic credentialsttl" according to your advice and
> it is working great.
>
> I am still having issues with the "tcp_outgoing_address 192.168.8.12
> acl_for_user3002" part, you mentioned:
> > For ACLs with values that are expected to change often it is best to use
> > an external_acl_type helper that manages the updates or fetches from
> > somewhere the updates are handled without a reload.
>
> My script updates the authenticator successfully, but when I update "acl
> acl_for_user3002 proxy_auth user2" to the new username I have to
> reconfigure to take effect.
> I read online for hours but to my best understanding external_acl_type
> are for auth and access control, but they don't work for my needs I believe.
>
> Is there any way to use external_acl_type in a way I don't understand to
> solve this problem? Do I have to reconfigure every time I make changes
> to an ACL in squid.conf?
Some directives have to produce allow/deny result immediately, without
waiting for a helper to respond. The details are documented here:
<https://wiki.squid-cache.org/SquidFaq/SquidAcl>
In modern Squid you can use a helper to set annotations which are
checked with the "note" ACL type in the fast checks.
It sounds a bit like you are trying to tie IPs to individual users.
Please be aware that breaks the multiplexing and persistence features of
HTTP, which is a major performance loss.
Amos
More information about the squid-users
mailing list